Shulou (Shulou.com), 05/31 report. Updated 2025-01-18.
This article explains how RGW S3 authorization (RGW S3 Authorize) works.
The authentication section of RGW S3 currently supports AWS v4 authentication, AWS v2 authentication and anonymous user authentication. The common entry point for all three is the rgw_process.cc::process_request() function, where the code that handles authentication is as follows:
rgw_process.cc::process_request()
|__ RGW_Auth_S3::authorize()
    |__ determine the authentication method from the HTTP request parameters (AWS v4 / AWS v2 / anonymous authentication)
These three authentication methods are described below:
1. AWS v2 authentication method.
AWS v2 authentication is handled by the RGW_Auth_S3::authorize_v2() function. With AWS v2 authentication, the client first signs the authentication header data with the user's secret key, then adds the authentication header data, the signature and the user's access key to the HTTP request. On receiving the request, RGW extracts this information and looks up the user information (user info) by the access key. It then signs the authentication header data from the request with the secret key stored in the user information, and finally checks whether the signature it calculated matches the signature carried in the request; a match authenticates the user.
The processing flow of AWS v2 authentication is as follows:
RGW_Auth_S3::authorize()
|__ get the user's access key (AWSAccessKeyId) and signature string (Signature) from the HTTP request
|__ check whether it is keystone authentication and, if so, use keystone authentication
|__ check whether it is LDAP authentication and, if so, use LDAP authentication
|__ obtain the user info through the user's access_key
|__ rgw_create_s3_canonical_header() gets the authentication header data from the HTTP request
    The authentication header includes the following information:
      req_info.method
      req_info.env[HTTP_CONTENT_MD5]
      req_info.env[CONTENT_TYPE]
      req_info.env[HTTP_DATE]
      req_info.x_meta_map
      req_info.request_uri
      req_info.args.get_sub_resources()
|__ rgw_get_s3_header_digest()
|__ ceph_armor() uses the secret key from the user info to sign the authentication header and get the signature result
|__ compare whether the calculated signature is consistent with the auth_sign passed in the request
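The v2 flow above, as an added Python example that is not Ceph's own code: it builds the string to sign from the listed fields, signs it, and compares the result with the signature in the request. It assumes the standard AWS v2 scheme (HMAC-SHA1 over the string to sign, base64-encoded); USERS, the function names and the sample request are hypothetical stand-ins.

```python
import base64
import hashlib
import hmac

# Constructed key store standing in for RGW's user info lookup by access key.
USERS = {"EXAMPLEACCESSKEY": "example-secret-key"}

def canonical_header(method, headers, uri, sub_resources=()):
    """Build the v2 string to sign from the fields listed above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    amz = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-amz-"))
    # Per the AWS v2 rules, the Date line is left empty when x-amz-date is sent.
    date = "" if "x-amz-date" in h else h.get("date", "")
    resource = uri
    if sub_resources:
        resource += "?" + "&".join(sorted(sub_resources))
    head = "\n".join([method, h.get("content-md5", ""), h.get("content-type", ""), date])
    return head + "\n" + amz + resource

def sign_v2(secret, string_to_sign):
    """HMAC-SHA1 with the user's secret key, base64-encoded."""
    digest = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorize_v2(method, headers, uri, sub_resources=()):
    """Server side: True only if 'Authorization: AWS key:signature' verifies."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("AWS ") or ":" not in auth:
        return False
    access_key, _, auth_sign = auth[4:].partition(":")
    secret = USERS.get(access_key)
    if secret is None:  # unknown access key: no user info to sign with
        return False
    expected = sign_v2(secret, canonical_header(method, headers, uri, sub_resources))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), auth_sign.encode())

def sample_request():
    """Constructed client request: PUT /bucket/key.txt?acl signed with the sample key."""
    headers = {"Date": "Tue, 27 Mar 2007 19:36:42 +0000",
               "Content-Type": "text/plain", "x-amz-meta-owner": "alice"}
    sts = canonical_header("PUT", headers, "/bucket/key.txt", ["acl"])
    headers["Authorization"] = "AWS EXAMPLEACCESSKEY:" + sign_v2(USERS["EXAMPLEACCESSKEY"], sts)
    return headers
```

Changing any signed field (method, resource, an x-amz- header) after signing makes authorize_v2 return False, which is the property the final comparison step enforces.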
2. AWS v4 authentication.
AWS v4 authentication is handled by the RGW_Auth_S3::authorize_v4() function. It follows the latest AWS authentication specification and is more comprehensive than AWS v2 authentication.
The main data structure used by AWS v4 authentication is as follows:
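#include <string>
using std::string;

struct rgw_aws4_auth {
  string date;              // "X-Amz-Date"
  string expires;           // "X-Amz-Expires"
  string credential;        // "X-Amz-Credential"
  string signedheaders;     // "X-Amz-SignedHeaders"
  string signed_hdrs;       // copy of signedheaders used when signing
  string access_key_id;     // credential up to the first "/"
  string credential_scope;
  string canonical_uri;
  string canonical_qs;      // key=value&key=value
  string signature;         // "X-Amz-Signature", sent by the client
  string new_signature;     // signature calculated by RGW
  string payload_hash;
};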
The AWS v4 authentication process is as follows:
RGW_Auth_S3::authorize_v4()
|__ create a struct rgw_aws4_auth object
|__ initialize the struct rgw_aws4_auth object from the HTTP request
|__ check whether the format of struct rgw_aws4_auth::credential is correct
|__ get the access key from struct rgw_aws4_auth::credential (from the beginning to the first "/")
|__ rgw_get_user_info_by_access_key() gets the user info through the access key
|__ parse the info.request_params string of the HTTP request to get canonical_qs_map[key] = value
|__ write the contents of canonical_qs_map to struct rgw_aws4_auth::canonical_qs in the format key=value&key=value
|__ parse the struct rgw_aws4_auth::signedheaders string to get canonical_hdrs_map[token] = token_value
|__ write the contents of canonical_hdrs_map to struct rgw_aws4_auth::canonical_hdrs in the format token:value\ntoken:value
|__ set struct rgw_aws4_auth::signed_hdrs = struct rgw_aws4_auth::signedheaders
|__ authorize_v4_complete()
|__ rgw_create_s3_v4_canonical_request()
|__ rgw_assemble_s3_v4_canonical_request()
|__ rgw_hash_s3_string_sha256()
|__ rgw_create_s3_v4_string_to_sign()
|__ rgw_assemble_s3_v4_string_to_sign()
|__ rgw_calculate_s3_v4_aws_signature()
|__ compare whether struct rgw_aws4_auth::signature is consistent with the calculated struct rgw_aws4_auth::new_signature
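The v4 steps above (canonical request, SHA-256 hash, string to sign, signature, comparison), as an added Python example that is not Ceph's own code. It assumes the standard AWS Signature Version 4 query-string form with an unsigned payload; USERS, the function names, the host name and the sample values are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import quote

USERS = {"EXAMPLEACCESSKEY": "example-secret-key"}  # constructed key store

def calc_signature(secret, method, uri, params, headers):
    """Recompute new_signature from the X-Amz-* query parameters."""
    scope = params["X-Amz-Credential"].partition("/")[2]   # credential_scope
    datestamp, region, service, term = scope.split("/")
    canonical_qs = "&".join(                               # key=value&key=value
        f"{quote(k, safe='')}={quote(v, safe='')}"
        for k, v in sorted(params.items()) if k != "X-Amz-Signature")
    signed_hdrs = params["X-Amz-SignedHeaders"]
    h = {k.lower(): v.strip() for k, v in headers.items()}
    canonical_hdrs = "".join(f"{n}:{h[n]}\n" for n in signed_hdrs.split(";"))
    canonical_request = "\n".join(
        [method, quote(uri), canonical_qs, canonical_hdrs, signed_hdrs, "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()                       # derive the signing key
    for part in (datestamp, region, service, term):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def authorize_v4(method, uri, params, headers):
    """Server side: check credential format, look up the key, compare signatures."""
    cred = params.get("X-Amz-Credential", "")
    if cred.count("/") != 4 or "X-Amz-Signature" not in params:
        return False
    secret = USERS.get(cred.split("/", 1)[0])  # access key: start to first "/"
    if secret is None:
        return False
    try:
        new_signature = calc_signature(secret, method, uri, params, headers)
    except KeyError:  # a required parameter or signed header is missing
        return False
    return hmac.compare_digest(new_signature.encode(), params["X-Amz-Signature"].encode())

def sample_presigned():
    """Constructed presigned GET; every value is a placeholder."""
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Date": "20250101T000000Z",
              "X-Amz-Credential": "EXAMPLEACCESSKEY/20250101/us-east-1/s3/aws4_request",
              "X-Amz-Expires": "300", "X-Amz-SignedHeaders": "host"}
    headers = {"Host": "rgw.example.test"}
    params["X-Amz-Signature"] = calc_signature(
        USERS["EXAMPLEACCESSKEY"], "GET", "/bucket/key.txt", params, headers)
    return params, headers
```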
3. Anonymous user authentication.
Anonymous user authentication is handled by the rgw_rest_s3.cc::init_anon_user() function. The anonymous user authentication process is as follows:
init_anon_user()
|__ rgw_get_anon_user()
|__ set the user information RGWUserInfo.user_id = RGW_USER_ANON_ID
|__ clear the user information RGWUserInfo.display_name and access_key
|__ set struct req_state::perm_mask = RGW_PERM_FULL_CONTROL